Analysis Overview
SHA256
52480d0a016e6df93f58ecc9a6e8d42177bd35e393406d464426a0951e206a36
Threat Level: Known bad
The file ZYu4eR.exe.zip was found to be: Known bad.
Malicious Activity Summary
PLAY Ransomware, PlayCrypt
Renames multiple (8319) files with added filename extension
Reads user/profile data of web browsers
Enumerates connected drives
Drops desktop.ini file(s)
Drops file in Program Files directory
Unsigned PE
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
Suspicious use of FindShellTrayWindow
Opens file in notepad (likely ransom note)
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-25 10:27
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-25 10:27
Reported
2023-09-25 10:31
Platform
win10v2004-20230915-es
Max time kernel
193s
Max time network
182s
Command Line
Signatures
PLAY Ransomware, PlayCrypt
Renames multiple (8319) files with added filename extension
Reads user/profile data of web browsers
Drops desktop.ini file(s)
Enumerates connected drives
Drops file in Program Files directory
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Opens file in notepad (likely ransom note)
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\NOTEPAD.EXE | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: 33 | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe
"C:\Users\Admin\AppData\Local\Temp\ZYu4eR.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\ReadMe.txt
Network
Files
| SHA512 | 73e3e9566d3ad7fd2aa8cf31c95cf7638d43378dfe5b2025e8180421de93126e91c74dba0c112f5d6cc188aedfb56f4b4dd5408b1fe3bec27aace2c13af0292c |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\setup.ini.PLAY
| MD5 | ac787261fe0891de45a239b28dc92780 |
| SHA1 | 587799cbf59ef80bade9cd159ee3ea8d498a5ca0 |
| SHA256 | 28a95377a91895bf8058e25ec0697d0ffb5659a6d0d2f404a0b47cda2baa2fe3 |
| SHA512 | e4d7be8a5fb5e33d98dc7bee81626a220de25c617c8601a8bc2725a84a4d07283fa63781821ad833135cadeb73ccf5c11fa1f575a211c969434f11ac0757f77e |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\Data1.cab.PLAY
| MD5 | 93e6ce5c22cc13d7a4e156c67b2fd38b |
| SHA1 | be7f5c7f37885634bc1a1d78ae6da472bcc31049 |
| SHA256 | bf078ac812bda644b8ac3bf26c6adc6fe0b6e0613ad9e5e3097751eaf877bdf9 |
| SHA512 | 4b8d02a2ed8ea2d1d454a10bc7e392aad0fbcdae03dee75a53ad29b0f2c5bcaf133f2f835a165c342e2cbb2c77f6c79d99e992c53cb079025421bd958fd81c1d |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\AcroRdrDCUpd1901020069.msp.PLAY
| MD5 | 41017fd87a4c17c842f05589f18c5196 |
| SHA1 | 0e939590a971553831c06a72238a2bb1eebe0c1c |
| SHA256 | 6757936abe533e6bffbd59efb566756c47cf80c74213b1343af0728cf336ab03 |
| SHA512 | 3b8918430e3c15e605205deeb0f9fa8b632b82361c3be16e404d8a46e1b7526aace62b1a948aaaaf0b42467be0b7a33e0ee11f5f0f27539f4bf4c867286dd9a6 |
C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1033-7B44-AC0F074E4100}\abcpy.ini.PLAY
| MD5 | 33d017e908f614dc6e6e977d35dae62e |
| SHA1 | ffac5dc457a460bbc9bfb569ac9a2bb18fbce956 |
| SHA256 | 003212842448b307a67b3f5912a60d9b05457258b5a91a2ae26ecbb3a7c29794 |
| SHA512 | 409a13accc944527e3d36d296726f67e3b1f66153dcdad493789233605045446002f010dc58d89ebb4a2c2f2dc87b2dec637ad9915e01d79933bec18dabdf65c |
C:\ReadMe.txt
| MD5 | d68c3663b6249972448b5b0301e956ef |
| SHA1 | 6e67f24b05ff97fd18db7cadc41bbd0560177c01 |
| SHA256 | 93358da4757f6653ed513d9362f2ac44def6615a3a9b6c3a79f82faa81d89d3a |
| SHA512 | ce4ce796cfcce192ca38ed96f69a8ca40a5d5ac738decbeccd56d30235cb0b5e6057b27a37b1ec65ba21924ada685206687363e353bd7c265663c87bc843dca0 |